Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Achtung! Ihr Windows System wurde blockiert! 100 Euro zahlen (https://www.trojaner-board.de/108855-achtung-windows-system-wurde-blockiert-100-euro-zahlen.html)

birrrd 01.02.2012 10:10
Achtung! Ihr Windows System wurde blockiert! 100 Euro zahlen
 
Hallo!

Ich habe es das erste mal mit einem Trojaner zu tun und würde mich deswegen über genaue Beschreibung der Problem-Behandlung freuen.
Wenn ich Windows 7 starte erscheint sofort der Bildschirm, dass Windows gesperrt wurde und ich werde aufgefordert 100 Euro mit eine speziellen Karte zu bezahlen.

Habe den Laptop jetzt im abgesicherten Modus gestartet und OTL auf dem Desktop gespeichert.
Soll ich nun einfach auf scan drücken?

Wie soll ich weiter vorgehen?

Über Hilfe wäre ich sehr dankbar!
MfG Franzi

birrrd 01.02.2012 10:26
Ich habe jetzt den Scan, wie in dem OTL.exe thread beschrieben, laufen lassen.

Hier mein OTL.Txt:OTL Logfile:
Code:
OTL logfile created on: 01.02.2012 10:20:08 - Run 1
OTL by OldTimer - Version 3.2.31.0    Folder = C:\Users\berta\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,99 Gb Total Physical Memory | 2,38 Gb Available Physical Memory | 79,51% Memory free
5,99 Gb Paging File | 5,44 Gb Available in Paging File | 90,80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 142,65 Gb Total Space | 49,78 Gb Free Space | 34,89% Space Free | Partition Type: NTFS
Drive D: | 142,67 Gb Total Space | 47,14 Gb Free Space | 33,04% Space Free | Partition Type: NTFS
 
Computer Name: BERTA-PC | User Name: berta | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\berta\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Programme\Mozilla Firefox\mozjs.dll ()
MOD - C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (McNeelUpdate) -- C:\Program Files\McNeelUpdate\5.0\McNeelUpdateService.exe (Robert McNeel & Associates)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (getPlusHelper) getPlus(R) -- C:\Programme\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (vmbus) -- C:\Windows\system32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (LSI Corp)
DRV - (yukonw7) -- C:\Windows\System32\drivers\yk62x86.sys (Marvell)
DRV - (netw5v32) Intel(R) -- C:\Windows\System32\drivers\netw5v32.sys (Intel Corporation)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (TPkd) -- C:\Windows\System32\drivers\TPkd.sys (PACE Anti-Piracy, Inc.)
DRV - (DNE) -- C:\Windows\System32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (tap0901) -- C:\Windows\System32\drivers\tap0901.sys (The OpenVPN Project)
DRV - (CVirtA) -- C:\Windows\System32\drivers\CVirtA.sys (Cisco Systems, Inc.)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Babylon Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = MSN, Messenger und Hotmail sowie Nachrichten, Unterhaltung, Video, Sport, Lifestyle, Finanzen, Auto uvm. bei MSN
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 13 13 B4 96 8A BB CA 01  [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://web.de/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: o2cplayer@eleco.com:2.0.0.54
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..keyword.URL: "hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=240e99d1000000000000001d72c6cb76&tlver=1.4.35.10&affID=100842"
FF - prefs.js..network.proxy.type: 4
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.01.30 23:12:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.01.25 10:55:09 | 000,000,000 | ---D | M]
 
[2009.11.06 12:00:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\berta\AppData\Roaming\mozilla\Extensions
[2011.10.25 22:20:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\berta\AppData\Roaming\mozilla\Firefox\Profiles\yq7qk2sp.default\extensions
[2011.11.23 11:51:08 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.01.30 23:12:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.05.04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012.01.30 23:12:46 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.10.25 22:11:49 | 000,002,288 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012.01.30 23:12:46 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.01.30 23:12:46 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.01.30 23:12:46 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.01.30 23:12:46 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.01.30 23:12:46 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe File not found
O4 - HKCU..\Run: [AdobeBridge]  File not found
O4 - HKCU..\Run: [vasja] C:\Users\berta\AppData\Local\Temp\0.12995208779951317.exe (Quick Heal Technologies (P) Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.69.252.252 129.69.252.212 129.69.252.202
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{02C9BAB1-F260-46CC-8A73-BF22E85A400B}: DhcpNameServer = 129.69.252.252 129.69.252.212 129.69.252.202
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{0688b652-7174-11df-ae64-9c8dfea9031e}\Shell - "" = AutoRun
O33 - MountPoints2\{0688b652-7174-11df-ae64-9c8dfea9031e}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{312b5d77-2053-11df-bfc3-001d72c6cb76}\Shell - "" = AutoRun
O33 - MountPoints2\{312b5d77-2053-11df-bfc3-001d72c6cb76}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.02.01 09:55:43 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\berta\Desktop\OTL.exe
[2012.01.31 14:16:47 | 000,000,000 | ---D | C] -- C:\Users\berta\Documents\Downloads
[2012.01.31 00:05:28 | 000,000,000 | ---D | C] -- C:\Users\berta\AppData\Local\3dmouse
[2012.01.30 23:19:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rhinoceros 5.0 Evaluation
[2012.01.30 23:19:00 | 000,000,000 | ---D | C] -- C:\Program Files\McNeelUpdate
[2012.01.30 23:18:42 | 000,000,000 | ---D | C] -- C:\Program Files\Rhinoceros 5.0 Evaluation
[2012.01.30 23:08:10 | 000,000,000 | ---D | C] -- C:\Users\berta\AppData\Roaming\McNeel
[2012.01.30 23:05:27 | 000,249,856 | ---- | C] (TODO: <Company name>) -- C:\Windows\System32\pdfmona.dll
[2012.01.30 23:05:27 | 000,000,000 | ---D | C] -- C:\ProgramData\pdf995
[2012.01.30 23:05:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Software995
[2012.01.30 23:05:05 | 000,000,000 | ---D | C] -- C:\pdf995
[2012.01.30 23:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Rhinoceros 5.0 WIP
[2012.01.30 22:49:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2012.01.25 11:00:06 | 000,000,000 | ---D | C] -- C:\Program Files\Vectorworks 2012 Hilfe
[2012.01.25 10:54:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012.01.25 10:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2012.01.25 10:54:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2012.01.25 10:53:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2012.01.25 10:51:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vectorworks2012
[2012.01.25 10:39:46 | 000,000,000 | ---D | C] -- C:\Program Files\Vectorworks2012
[2012.01.23 19:01:36 | 000,314,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webio.dll
[2012.01.23 19:01:36 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sspisrv.dll
[2012.01.22 17:49:06 | 000,000,000 | ---D | C] -- C:\ProgramData\CanonIJWSpt
[2012.01.22 17:49:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon iX6500 series Benutzerregistrierung
[2012.01.22 17:49:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\CANON
[2012.01.22 17:48:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
[2012.01.22 17:48:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon iX6500 series Manual
[2012.01.22 17:48:05 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonBJ
[2012.01.22 17:47:48 | 000,000,000 | -H-D | C] -- C:\Windows\System32\CanonIJ Uninstaller Information
[2012.01.22 17:47:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon iX6500 series
[2012.01.22 17:47:18 | 000,303,104 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNMLMAO.DLL
[2012.01.22 17:47:10 | 000,180,224 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNMIUAO.DLL
[2012.01.22 17:46:58 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2012.01.22 17:45:11 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2012.01.21 12:24:32 | 000,599,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2012.01.21 12:24:32 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012.01.21 12:24:31 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012.01.21 12:24:31 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012.01.21 12:24:31 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012.01.21 12:21:46 | 002,342,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012.01.21 12:21:40 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2012.01.21 12:21:34 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\packager.dll
[2012.01.21 12:21:33 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2012.01.21 12:21:32 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll
[2012.01.21 12:21:30 | 001,328,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2012.01.21 12:21:30 | 000,514,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qdvd.dll
[2012.01.21 12:21:21 | 003,967,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012.01.21 12:21:21 | 003,912,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.02.01 09:54:38 | 000,696,132 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.02.01 09:54:38 | 000,651,450 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.02.01 09:54:38 | 000,147,428 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.02.01 09:54:38 | 000,120,382 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.02.01 09:49:39 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.02.01 09:49:31 | 2411,876,352 | -HS- | M] () -- C:\hiberfil.sys
[2012.02.01 09:28:26 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\berta\Desktop\OTL.exe
[2012.02.01 09:26:20 | 000,802,113 | ---- | M] () -- C:\Users\berta\Desktop\Unlocker1.9.1.exe
[2012.01.31 21:03:27 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.01.31 20:36:00 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.01.31 20:26:06 | 000,013,456 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.01.31 20:26:06 | 000,013,456 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.01.31 10:45:52 | 000,001,143 | ---- | M] () -- C:\Users\berta\Desktop\Rhinoceros 5.0 Evaluation.lnk
[2012.01.30 23:19:13 | 000,000,400 | ---- | M] () -- C:\Windows\System32\drivers\ifxjxy_706.set
[2012.01.30 23:19:13 | 000,000,400 | ---- | M] () -- C:\Windows\System32\drivers\dhtrugl316.dat
[2012.01.30 23:19:13 | 000,000,400 | ---- | M] () -- C:\Windows\d_nhqnsp277.ini
[2012.01.30 23:05:41 | 000,000,131 | ---- | M] () -- C:\Windows\wpd99.drv
[2012.01.30 23:05:27 | 000,249,856 | ---- | M] (TODO: <Company name>) -- C:\Windows\System32\pdfmona.dll
[2012.01.30 23:05:27 | 000,051,716 | ---- | M] () -- C:\Windows\System32\pdf995mon.dll
[2012.01.29 12:09:38 | 299,523,993 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012.01.26 17:07:03 | 000,071,081 | ---- | M] () -- C:\Users\berta\Desktop\STAATSTHEATER STUTTGART.pdf
[2012.01.25 11:04:24 | 000,001,062 | ---- | M] () -- C:\Users\berta\Desktop\Vectorworks2012E.lnk
[2012.01.23 20:24:02 | 000,000,287 | ---- | M] () -- C:\Users\berta\AppData\Local\VersionChecker_16.xml
[2012.01.22 17:48:37 | 000,002,310 | ---- | M] () -- C:\Users\Public\Desktop\Canon iX6500 series Online-Handbuch.lnk
[2012.01.22 16:58:37 | 002,209,584 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.01.21 12:13:26 | 000,001,988 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.02.01 09:55:45 | 000,802,113 | ---- | C] () -- C:\Users\berta\Desktop\Unlocker1.9.1.exe
[2012.01.31 10:45:52 | 000,001,143 | ---- | C] () -- C:\Users\berta\Desktop\Rhinoceros 5.0 Evaluation.lnk
[2012.01.30 23:19:13 | 000,000,400 | ---- | C] () -- C:\Windows\System32\drivers\ifxjxy_706.set
[2012.01.30 23:19:13 | 000,000,400 | ---- | C] () -- C:\Windows\System32\drivers\dhtrugl316.dat
[2012.01.30 23:19:13 | 000,000,400 | ---- | C] () -- C:\Windows\d_nhqnsp277.ini
[2012.01.30 23:05:27 | 000,051,716 | ---- | C] () -- C:\Windows\System32\pdf995mon.dll
[2012.01.30 23:05:27 | 000,000,131 | ---- | C] () -- C:\Windows\wpd99.drv
[2012.01.26 17:07:30 | 000,071,081 | ---- | C] () -- C:\Users\berta\Desktop\STAATSTHEATER STUTTGART.pdf
[2012.01.25 11:04:24 | 000,001,062 | ---- | C] () -- C:\Users\berta\Desktop\Vectorworks2012E.lnk
[2012.01.22 17:48:37 | 000,002,310 | ---- | C] () -- C:\Users\Public\Desktop\Canon iX6500 series Online-Handbuch.lnk
[2012.01.21 12:13:26 | 000,001,988 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2012.01.21 12:13:25 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011.11.15 11:48:40 | 000,000,221 | ---- | C] () -- C:\Windows\SOFTEK.INI
[2011.07.02 11:20:03 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011.01.28 17:21:07 | 000,000,287 | ---- | C] () -- C:\Users\berta\AppData\Local\VersionChecker_16.xml
[2010.09.17 12:37:11 | 000,000,146 | ---- | C] () -- C:\Windows\ricdb.ini
[2010.05.27 13:25:42 | 000,000,100 | ---- | C] () -- C:\Windows\Grips.INI
[2010.03.28 15:28:19 | 000,000,287 | ---- | C] () -- C:\Users\berta\AppData\Local\VersionChecker_15.xml
[2010.03.19 22:35:56 | 000,000,266 | ---- | C] () -- C:\Windows\s21.ini
[2009.11.30 16:54:21 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2009.11.06 17:39:09 | 000,000,065 | ---- | C] () -- C:\Windows\FISHUI.INI
[2009.11.06 14:00:54 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2009.11.06 12:43:46 | 000,000,287 | ---- | C] () -- C:\Users\berta\AppData\Local\VersionChecker_14.xml
[2009.08.03 00:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009.08.03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009.08.03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009.08.03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009.07.14 09:47:43 | 000,696,132 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2009.07.14 09:47:43 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2009.07.14 09:47:43 | 000,147,428 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2009.07.14 09:47:43 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2009.07.14 05:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009.07.14 05:33:53 | 002,209,584 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009.07.14 03:05:48 | 000,651,450 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009.07.14 03:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009.07.14 03:05:48 | 000,120,382 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009.07.14 03:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009.07.14 03:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009.07.14 03:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009.07.14 00:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009.07.14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009.06.10 22:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006.03.09 09:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
 
========== LOP Check ==========
 
[2011.10.25 22:11:48 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\Babylon
[2011.02.10 01:33:04 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\DataCast
[2011.04.18 12:59:47 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\Dropbox
[2010.05.02 18:34:50 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\eu.computerworks.vectorworks.2010.help.deu.C597E665C9D833B0F52B09434821DFAEF4904789.1
[2011.02.01 13:05:35 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\eu.computerworks.vectorworks.2011.help.deu.07222458214E034A0B494E83FAD6744C17D2B914.1
[2011.10.30 23:47:04 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\Grasshopper
[2010.08.16 20:07:38 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\ICQ
[2011.04.26 17:19:13 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\MAXON
[2012.01.30 23:08:10 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\McNeel
[2009.11.06 12:43:29 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\Nemetschek
[2009.11.06 12:43:23 | 000,000,000 | ---D | M] -- C:\Users\berta\AppData\Roaming\PACE Anti-Piracy
[2012.01.22 17:11:31 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 971 bytes -> C:\ProgramData\Microsoft:avG8xExgmkjIRWKcDBQZKBhub
@Alternate Data Stream - 1214 bytes -> C:\Program Files\Common Files\microsoft shared:0ga9PbhpPvg10ZTM5GnIxM5q0
@Alternate Data Stream - 1198 bytes -> C:\Users\berta\AppData\Local\JzVpumODXX3TczS:ah8Diq0Q9VQtikZ9UJDv3oUB
@Alternate Data Stream - 1196 bytes -> C:\Program Files\Common Files\System:iJ3pl5oRGqRo0bHsXsXwCCW0
@Alternate Data Stream - 1109 bytes -> C:\ProgramData\Microsoft:pJhO2DWggP3fu2G1QOgR6wpZr

< End of report >
--- --- ---
Und mein Extras.Txt:OTL Logfile:
Code:
OTL Extras logfile created on: 01.02.2012 10:20:08 - Run 1
OTL by OldTimer - Version 3.2.31.0    Folder = C:\Users\berta\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,99 Gb Total Physical Memory | 2,38 Gb Available Physical Memory | 79,51% Memory free
5,99 Gb Paging File | 5,44 Gb Available in Paging File | 90,80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 142,65 Gb Total Space | 49,78 Gb Free Space | 34,89% Space Free | Partition Type: NTFS
Drive D: | 142,67 Gb Total Space | 47,14 Gb Free Space | 33,04% Space Free | Partition Type: NTFS
 
Computer Name: BERTA-PC | User Name: berta | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{098A2A49-7CF3-4F08-A38D-FB879117152A}" = Adobe Color NA Extra Settings CS4
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0DC0E85F-36E4-463B-B3EA-4CD8ED2222A1}" = Adobe Color EU Recommended Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iX6500_series" = Canon iX6500 series Printer Driver
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{1CE8E6EB-3077-4E90-9C53-28B7015231D9}" = Google SketchUp Pro 8
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x32
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 26
"{342F5437-C87D-4BB5-89B9-B23E16C6A395}" = Microsoft Visual C++ 8.0 Support DLLs
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4F2110EE-6C26-FF78-18D8-D31B5FE46A8D}" = Vectorworks 2011 Hilfe
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{586CCF4B-7546-40B1-96A7-E8EDB158F5FF}" = Rhinoceros 5.0 Evaluation
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5C2CBFFD-FC3B-4AA9-993B-CE2B8DA25B87}" = Rhinoceros 4.0
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator 3.0.0
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87C2FAFA-E830-E3B1-A50E-876D00939884}" = Vectorworks 2012 Hilfe
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90280407-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional mit FrontPage
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{95E1E426-EE9E-4F68-8F02-58A5A09B38F3}" = Rhinoceros 4.0 SR8
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.0 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C911A0C2-2236-3164-AA47-F2566C01AE5E}" = Microsoft .NET Framework 4 Extended DEU Language Pack
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{DA703982C580418795BF4001AA9D7061}" = DivX Plus Media Foundation Components
"{DD1DED37-2486-4F56-8F89-56AA814003F5}" = Acer Crystal Eye Webcam
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FA237125-51FF-408C-8BB8-30C2B3DFFF9C}" = Windows Resource Kit Tools
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Canon iX6500 series Benutzerregistrierung" = Canon iX6500 series Benutzerregistrierung
"CanonMyPrinter" = Canon My Printer
"eu.computerworks.vectorworks.2011.help.deu.07222458214E034A0B494E83FAD6744C17D2B914.1" = Vectorworks 2011 Hilfe
"eu.computerworks.vectorworks.2012.help.deu.07222458214E034A0B494E83FAD6744C17D2B914.1" = Vectorworks 2012 Hilfe
"Grasshopper" = Grasshopper
"LManager" = Launch Manager
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended DEU Language Pack" = Microsoft .NET Framework 4 Extended DEU Language Pack
"Mozilla Firefox 9.0.1 (x86 de)" = Mozilla Firefox 9.0.1 (x86 de)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"Paint Shop Pro 5.03" = Paint Shop Pro 5.03 CD
"Pdf995" = Pdf995
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Vectorworks ArchLand 2009 SP2 R1" = Vectorworks ArchLand 2009 SP2 R1
"Vectorworks ArchLand 2010 SP2 R1" = Vectorworks ArchLand 2010 SP2 R1
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 24.07.2011 14:40:53 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 25.07.2011 13:32:15 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 25.07.2011 16:21:29 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 26.07.2011 16:03:51 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 27.07.2011 17:49:03 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 28.07.2011 13:55:32 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 28.07.2011 19:18:27 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 29.07.2011 04:10:35 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 29.07.2011 05:19:46 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
Error - 30.07.2011 05:50:50 | Computer Name = berta-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>.
 Fehler: Die Daten sind unzulässig.  .
 
[ McNeel Events ]
Error - 31.01.2012 08:55:35 | Computer Name = berta-PC | Source = McNeel Update Service (version 5.1) | ID = 0
Description = Error,Download failed permanently for '{{hxxp://store.mcneel.com/api/v1/mcneelupdate/60515f84-8f7f-41da-801d-1c87e32f88f5/evaluation/win32/en-us/weekly/}}'
 -> '{{C:\ProgramData\McNeel\McNeelUpdate\DownloadCache\f36cd429a6a51918aa3430a83d86baa2\update.xml}}',5.1.2012.105
 
[ System Events ]
Error - 01.02.2012 05:19:31 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:20:42 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:20:42 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:20:42 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:22:01 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:22:01 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:22:01 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:22:01 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:22:01 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 01.02.2012 05:22:01 | Computer Name = berta-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
 
< End of report >
--- --- ---

markusg 01.02.2012 12:00
hi


dieses script sowie evtl. folgende scripts sind nur für den jeweiligen user.
wenn ihr probleme habt, eröffnet eigene topics und wartet auf, für euch angepasste scripts.


• Starte bitte die OTL.exe
• Kopiere nun das Folgende in die Textbox.



Code:
:OTL
O4 - HKCU..\Run: [vasja] C:\Users\berta\AppData\Local\Temp\0.12995208779951317.exe (Quick Heal Technologies (P) Ltd.)
 :Files
C:\Users\berta\AppData\Local\Temp\0.12995208779951317.exe
:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[Reboot]


• Schliesse bitte nun alle Programme.
• Klicke nun bitte auf den Fix Button.
• OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
• Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren.
starte in den normalen modus.

falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden

Drücke bitte die http://larusso.trojaner-board.de/Images/windows.jpg + E Taste.
  • Öffne dein Systemlaufwerk ( meistens C: )
  • Suche nun
    folgenden Ordner: _OTL und öffne diesen.
  • Mache einen Rechtsklick auf den Ordner Movedfiles --> Senden an --> Zip-Komprimierter Ordner

  • Dies wird eine Movedfiles.zip Datei in _OTL erstellen
  • Lade diese bitte in unseren Uploadchannel
    hoch. ( Durchsuchen --> C:\_OTL\Movedfiles.zip )
Teile mir mit ob der Upload problemlos geklappt hat. Danke im voraus :)

birrrd 01.02.2012 12:55
Vielen vielen Dank für die schnelle Antwort!

Textdokument nach dem Neustart:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\vasja not found.
C:\Users\berta\AppData\Local\Temp\0.12995208779951317.exe moved successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 56958 bytes

User: All Users

User: berta
->Flash cache emptied: 164669 bytes

User: Default
->Flash cache emptied: 56468 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0,00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 426933 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 7191499 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: berta
->Temp folder emptied: 5284563283 bytes
->Temporary Internet Files folder emptied: 59572968 bytes
->Java cache emptied: 25786674 bytes
->FireFox cache emptied: 53162023 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 332510001 bytes
RecycleBin emptied: 8578747428 bytes

Total Files Cleaned = 13.678,00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 02012012_123507

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Upload hat prombelmlos funktioniert! Und es scheint wieder alles in Ordnung zu sein. Meint ihr, ich sollte trotzdem Windows komplett neu aufspielen?
Oder soll ich noch einen anderen Scan durchführen?

Das hier ist echt ein super Forum!
Gruß, Franzi

markusg 01.02.2012 13:05
danke für den upload, wir gucken mal noch weiter.
Combofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich
ziehen und eine Bereinigung der Infektion noch erschweren.

Bitte downloade dir Combofix.exe und speichere es unbedingt auf deinem Desktop.
  • Besuche folgende Seite für Downloadlinks und Anweisungen für dieses
    Tool

    Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Hinweis:
    Gehe sicher das all deine Anti Virus und Anti Malware Programme abgeschalten sind, damit diese Combofix nicht bei der Arbeit stören.
  • Poste bitte die C:\Combofix.txt in deiner nächsten Antwort.

birrrd 01.02.2012 18:06
Okay! Combofix durchgeführt:
Combofix Logfile:
Code:
ComboFix 12-02-01.01 - berta 01.02.2012  17:54:38.1.2 - x86
Microsoft Windows 7 Professional  6.1.7601.1.1252.49.1031.18.3067.2231 [GMT 1:00]
ausgeführt von:: c:\users\berta\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\IsUn0407.exe
.
.
(((((((((((((((((((((((  Dateien erstellt von 2012-01-01 bis 2012-02-01  ))))))))))))))))))))))))))))))
.
.
2012-02-01 11:35 . 2012-02-01 11:49        --------        d-----w-        C:\_OTL
2012-02-01 10:37 . 2012-02-01 11:49        --------        d-----w-        c:\programdata\Spybot - Search & Destroy
2012-02-01 10:37 . 2012-02-01 10:37        --------        d-----w-        c:\program files\Spybot - Search & Destroy
2012-02-01 10:36 . 2012-02-01 10:36        --------        d-----w-        c:\users\berta\AppData\Roaming\Malwarebytes
2012-02-01 10:36 . 2012-02-01 10:36        --------        d-----w-        c:\programdata\Malwarebytes
2012-01-31 09:52 . 2012-01-17 03:39        6557240        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{074975FA-9E80-43A4-BD4C-5B46E9C85E36}\mpengine.dll
2012-01-30 23:05 . 2012-01-30 23:05        --------        d-----w-        c:\users\berta\AppData\Local\3dmouse
2012-01-30 22:19 . 2012-01-30 22:19        400        ----a-w-        c:\windows\system32\drivers\dhtrugl316.dat
2012-01-30 22:19 . 2012-01-30 22:19        --------        d-----w-        c:\program files\McNeelUpdate
2012-01-30 22:18 . 2012-01-30 22:19        --------        d-----w-        c:\program files\Rhinoceros 5.0 Evaluation
2012-01-30 22:12 . 2012-01-30 22:12        548864        ----a-w-        c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-30 22:12 . 2012-01-30 22:12        479232        ----a-w-        c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-30 22:12 . 2012-01-30 22:12        43992        ----a-w-        c:\program files\Mozilla Firefox\mozutils.dll
2012-01-30 22:12 . 2012-01-30 22:12        626688        ----a-w-        c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-30 22:08 . 2012-01-30 22:08        --------        d-----w-        c:\users\berta\AppData\Roaming\McNeel
2012-01-30 22:05 . 2012-02-01 08:47        --------        d-----w-        c:\programdata\pdf995
2012-01-30 22:05 . 2012-01-30 22:05        131        ----a-w-        c:\windows\wpd99.drv
2012-01-30 22:05 . 2012-01-30 22:05        51716        ----a-w-        c:\windows\system32\pdf995mon.dll
2012-01-30 22:05 . 2012-01-30 22:05        249856        ----a-w-        c:\windows\system32\pdfmona.dll
2012-01-30 22:05 . 2012-01-30 22:05        --------        d-----w-        C:\pdf995
2012-01-30 22:04 . 2012-01-30 22:13        --------        d-----w-        c:\program files\Rhinoceros 5.0 WIP
2012-01-30 21:49 . 2012-01-30 21:49        --------        d-----w-        c:\program files\Microsoft.NET
2012-01-25 10:00 . 2012-01-25 10:02        --------        d-----w-        c:\program files\Vectorworks 2012 Hilfe
2012-01-25 09:54 . 2012-01-25 09:54        --------        d-----w-        c:\programdata\Apple Computer
2012-01-25 09:53 . 2012-01-25 09:53        --------        d-----w-        c:\program files\Common Files\Apple
2012-01-25 09:39 . 2012-01-25 10:02        --------        d-----w-        c:\program files\Vectorworks2012
2012-01-23 18:01 . 2011-11-17 05:41        134000        ----a-w-        c:\windows\system32\drivers\ksecpkg.sys
2012-01-23 18:01 . 2011-11-17 05:34        224768        ----a-w-        c:\windows\system32\schannel.dll
2012-01-23 18:01 . 2011-11-17 05:32        1038848        ----a-w-        c:\windows\system32\lsasrv.dll
2012-01-23 18:01 . 2011-11-17 05:41        67440        ----a-w-        c:\windows\system32\drivers\ksecdd.sys
2012-01-23 18:01 . 2011-11-17 05:39        369352        ----a-w-        c:\windows\system32\drivers\cng.sys
2012-01-23 18:01 . 2011-11-17 05:35        314880        ----a-w-        c:\windows\system32\webio.dll
2012-01-23 18:01 . 2011-11-17 05:34        15872        ----a-w-        c:\windows\system32\sspisrv.dll
2012-01-23 18:01 . 2011-11-17 05:34        100352        ----a-w-        c:\windows\system32\sspicli.dll
2012-01-23 18:01 . 2011-11-17 05:34        22016        ----a-w-        c:\windows\system32\secur32.dll
2012-01-23 18:01 . 2011-11-17 05:29        22528        ----a-w-        c:\windows\system32\lsass.exe
2012-01-22 16:49 . 2012-01-22 16:49        --------        d-----w-        c:\programdata\CanonIJWSpt
2012-01-22 16:49 . 2012-01-22 16:49        --------        d-----w-        c:\program files\Common Files\CANON
2012-01-22 16:48 . 2012-01-22 16:48        --------        d--h--w-        c:\programdata\CanonBJ
2012-01-22 16:48 . 2010-11-15 04:00        74752        ----a-w-        c:\windows\system32\Spool\prtprocs\w32x86\CNMPPAO.DLL
2012-01-22 16:48 . 2010-11-15 04:00        28672        ----a-w-        c:\windows\system32\Spool\prtprocs\w32x86\CNMPDAO.DLL
2012-01-22 16:47 . 2012-01-22 16:47        --------        d--h--w-        c:\windows\system32\CanonIJ Uninstaller Information
2012-01-22 16:47 . 2010-11-15 04:00        303104        ----a-w-        c:\windows\system32\CNMLMAO.DLL
2012-01-22 16:47 . 2010-09-07 10:58        180224        ----a-w-        c:\windows\system32\CNMIUAO.DLL
2012-01-22 16:45 . 2012-01-22 16:49        --------        d-----w-        c:\program files\Canon
2012-01-22 16:00 . 2012-02-01 08:47        --------        d-----w-        c:\users\Administrator
2012-01-21 11:21 . 2011-11-24 04:25        2342912        ----a-w-        c:\windows\system32\win32k.sys
2012-01-21 11:21 . 2011-11-05 04:26        2048        ----a-w-        c:\windows\system32\tzres.dll
2012-01-21 11:21 . 2011-11-19 14:01        67072        ----a-w-        c:\windows\system32\packager.dll
2012-01-21 11:21 . 2011-10-15 05:38        534528        ----a-w-        c:\windows\system32\EncDec.dll
2012-01-21 11:21 . 2011-10-26 04:28        38912        ----a-w-        c:\windows\system32\csrsrv.dll
2012-01-21 11:21 . 2011-10-26 04:32        514560        ----a-w-        c:\windows\system32\qdvd.dll
2012-01-21 11:21 . 2011-10-26 04:32        1328128        ----a-w-        c:\windows\system32\quartz.dll
2012-01-21 11:21 . 2011-10-26 04:47        3967856        ----a-w-        c:\windows\system32\ntkrnlpa.exe
2012-01-21 11:21 . 2011-10-26 04:47        3912560        ----a-w-        c:\windows\system32\ntoskrnl.exe
2012-01-03 07:22 . 2012-01-03 07:22        103864        ----a-w-        c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 07:22 . 2012-01-03 07:22        103864        ----a-w-        c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 09:08 . 2009-11-05 16:23        236576        ------w-        c:\windows\system32\MpSigStub.exe
2011-11-15 10:46 . 2011-05-28 14:35        414368        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2009-09-25 16:41 . 2009-09-25 16:41        1044480        ----a-w-        c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41        200704        ----a-w-        c:\program files\mozilla firefox\plugins\ssldivx.dll
2012-01-30 22:12 . 2011-05-09 20:06        121816        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12        94208        ----a-w-        c:\users\berta\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12        94208        ----a-w-        c:\users\berta\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12        94208        ----a-w-        c:\users\berta\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12        94208        ----a-w-        c:\users\berta\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-11-07 1037608]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-03-04 1112072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^berta^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\berta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 09:07        843712        ----a-r-        c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 21:51        37296        ----a-w-        c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-11-05 01:32        611712        ----a-w-        c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2010-07-26 02:08        2569616        ----a-w-        c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFPrint]
2011-04-28 08:59        220552        ----a-w-        c:\program files\pdf24\pdf24.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 136176]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 136176]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-01 1343400]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-30 136360]
S2 McNeelUpdate;McNeel Update Service 5.0;c:\program files\McNeelUpdate\5.0\McNeelUpdateService.exe [2012-01-24 63688]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000-Serie - Adaptertreiber für Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-11-12 66664]
S3 yukonw7;NDIS6.2-Miniporttreiber für Marvell Yukon-Ethernet-Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper        REG_MULTI_SZ          getPlusHelper
.
Inhalt des "geplante Tasks" Ordners
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 15:42]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 15:42]
.
.
------- Zusätzlicher Suchlauf -------
.
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 129.69.252.252 129.69.252.212 129.69.252.202
FF - ProfilePath - c:\users\berta\AppData\Roaming\Mozilla\Firefox\Profiles\yq7qk2sp.default\
FF - prefs.js: browser.startup.homepage - hxxp://web.de/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=240e99d1000000000000001d72c6cb76&tlver=1.4.35.10&affID=100842
FF - prefs.js: network.proxy.type - 4
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-SMSTray - c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe
MSConfigStartUp-Facebook Update - c:\users\berta\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-02-01  18:04:04
ComboFix-quarantined-files.txt  2012-02-01 17:04
.
Vor Suchlauf: 15 Verzeichnis(se), 62.611.869.696 Bytes frei
Nach Suchlauf: 20 Verzeichnis(se), 62.305.075.200 Bytes frei
.
- - End Of File - - C87C18504C56A5C8D82177D1814B94F5
--- --- ---

markusg 01.02.2012 18:22
malwarebytes öffnen, berichte, alle logs posten.

birrrd 02.02.2012 10:07
Hallo! Ich hatte Malwarebites schon wieder deinstalliert. Habe es jetzt aber nochmal drauf gemacht und den Quick Scan durchgeführt.

Hier die beiden Log-Dateien, die vorhanden waren:

protection-log-2012-02-01.txt:

2012/02/01 12:48:34 +0100 BERTA-PC berta MESSAGE Executing scheduled update: Daily
2012/02/01 12:48:42 +0100 BERTA-PC berta MESSAGE Scheduled update executed successfully: database updated from version v2012.02.01.02 to version v2012.02.01.03
2012/02/01 12:48:43 +0100 BERTA-PC berta MESSAGE Starting protection
2012/02/01 12:48:47 +0100 BERTA-PC berta MESSAGE Protection started successfully
2012/02/01 12:48:50 +0100 BERTA-PC berta MESSAGE Starting IP protection
2012/02/01 12:48:51 +0100 BERTA-PC berta MESSAGE IP Protection started successfully
2012/02/01 12:48:51 +0100 BERTA-PC berta MESSAGE Starting database refresh
2012/02/01 12:48:51 +0100 BERTA-PC berta MESSAGE Stopping IP protection
2012/02/01 12:51:03 +0100 BERTA-PC berta MESSAGE IP Protection stopped
2012/02/01 12:51:06 +0100 BERTA-PC berta MESSAGE Database refreshed successfully
2012/02/01 12:51:06 +0100 BERTA-PC berta MESSAGE Starting IP protection
2012/02/01 12:51:08 +0100 BERTA-PC berta MESSAGE IP Protection started successfully
2012/02/01 13:59:43 +0100 BERTA-PC berta MESSAGE Starting protection
2012/02/01 13:59:47 +0100 BERTA-PC berta MESSAGE Protection started successfully
2012/02/01 13:59:50 +0100 BERTA-PC berta MESSAGE Starting IP protection
2012/02/01 13:59:52 +0100 BERTA-PC berta MESSAGE IP Protection started successfully
2012/02/01 15:25:12 +0100 BERTA-PC berta MESSAGE Stopping IP protection
2012/02/01 15:27:30 +0100 BERTA-PC berta MESSAGE IP Protection stopped


mbam-log-2012-02-02 (09-44-12).txt:

Malwarebytes Anti-Malware (Test) 1.60.1.1000
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Datenbank Version: v2012.02.02.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
berta :: BERTA-PC [Administrator]

Schutz: Deaktiviert

02.02.2012 09:44:12
mbam-log-2012-02-02 (09-44-12).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 190041
Laufzeit: 7 Minute(n), 35 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

markusg 02.02.2012 12:19
bitte malwarebytes updaten, und einen vollständigen scan ausführen.

birrrd 04.02.2012 14:41
hallo!
ich glaube es müsste alles weg sein.
hab nochmal komplett gescannt und das hat er noch gefunden:

C:\Windows.old\Program Files\Gimp\GIMP-2.2\lib\gimp\2.0\plug-ins\autostretch_hsv.exe (Trojan.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\02012012_123507\C_Users\berta\AppData\Local\Temp\0.12995208779951317.exe (Trojan.Zbot) -> Erfolgreich gelöscht und in Quarantäne gestellt.
D:\Install\Clone CD\SetupCloneCD.exe (Trojan.Agent.CK) -> Erfolgreich gelöscht und in Quarantäne gestellt.

vielen vielen dank nochmal! ich hab echt die krise bekommen, als mein pc den virus bekommen hat und dank dieser super hilfe, hab ich es ja voll schnell wieder hinbekommen! gruß

markusg 04.02.2012 16:26
das komplette log bitte.


Alle Zeitangaben in WEZ +1. Es ist jetzt 10:31 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131